LadyGeek wrote:retiredjg - I see your point, but wouldn't your suggestion be better located in the forum policy, specifically in the Usernames (accounts) section?

It would not hurt to put it there, but I don't think it will reduce the number of times this issue occurs. People don't read. When they do read, they don't read that far down and they read less thoroughly as they go. And truthfully, who looks for policy on usernames before inventing their username?

If the decision makers don't see this as a problem, then don't do it. I know it should not be a problem (people should know better), but I also know it is a problem and it happens repeatedly and unless there is some software difficulty in doing it, it would not take much effort on someone's part to help avoid the problem.

Mostly, I just can't figure any logical argument not to do it. I'm a bit stumped.

Bottom line - this is not my forum and I don't get to make rules here. I do get to make suggestions and that is what I have done. You folks do what you think is best.

Changes to forum policy (including the registration info) are decided by the site owners, Alex Frakt and mingstar (with guidance from the Advisory Board). It's my job to make sure the forum follows this policy, not to set it.

I've requested Alex Frakt to post in this thread. If he agrees with your suggestion, it will be done.

To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

retiredjg wrote:Nisi, I had not considered there might be some software limitations about this request.

What I had in mind was something like this.

"If you are seeking financial advice, a significant amount of personal information may be requested. For this reason, consider an anonymous username instead of a username that relates to your actual identity."

Just something simple that will remind people to actually think about what they are doing.

... and maybe a little checkbox to indicate they read and understood that informational tidbit, before allowing them to continue?

jhfenton wrote:I essentially use my real name. I assume that I am completely identifiable and that everything I say can be traced back to me.

This is largely true. Unless one goes to extraordinary lengths to prevent cookies and uses a VPN to mask they true IP address and so on the data aggregators are able to compose a very accurate portrait of every web user interests no matter what screen name they may use.

Still I would use a screen name and a different one for each website that I log onto. It prevents the casual user from seeing a name and wondering if that is the same J H Fenton I work with.

If your J H Fenton runs and talks about investing and politics all of the time, then c'est moi!

I can see where you might want to ask a question on Bogleheads.org that is super sensitive (e.g. family or work-related), and in that case it makes sense to use a pseudonym. That hasn't been the case for me.

In my case, I've used jhfenton@xxxxx.xxx or jhfenton in many places for nearly 30 years (Fidonet in the mid-80's, college email in the late 80's). Currently that includes Facebook, Yahoo, Gmail, and Twitter. I've been on city council. I've been a political activist. If you search long enough you can find out that I won the 2012 Salmon Marathon and had kidney cancer two years ago. As a practical matter, I don't post anything on the Internet that I consider private. (Although if I did, I would use a VPN and a pristine virtual machine using a secure browser.)

I have two-factor authentication on any account that matters. If you want to hack my Spurstalk account and bad-mouth Tim Duncan, then I guess I'm at risk for that.

You are so right, the majority of people write comments on the internet thinking in their heads that "it will disappear or go away" as if it were an ephemeral real face to face conversation; but the reality is that what they wrote will stay forever (most likely) in servers and can be used years later. Even that silly thing they said when they were teen-agers. Can a teenager that is on Facebook today be a president in 50 years? . Imagine the press on his early life.So when you write things anywhere on the internet (including emails!!) You can assume that it will be there for many years, it is like your conversation has become perpetual.

We used to get a class in anti-trust law every year at my old Mega-corp, taught by our chief counsel. One thing I remember clearly was his statement that the "e" in "e-mail" stands for evidence. Assume everything you send in an email will be discovered. Anonymous websites have a bit more privacy (if you choose an anonymous user name), but it's probably the best policy to assume that someone could connect the dots, even without a government subpoena.

cadreamer2015 wrote:We used to get a class in anti-trust law every year at my old Mega-corp, taught by our chief counsel. One thing I remember clearly was his statement that the "e" in "e-mail" stands for evidence. Assume everything you send in an email will be discovered. Anonymous websites have a bit more privacy (if you choose an anonymous user name), but it's probably the best policy to assume that someone could connect the dots, even without a government subpoena.

My former boss never understood that, and we're a public agency, so we have FOIA requests to be concerned about as well. And yet, some of the emails that came from that boss.... I'd cringe if the media had requested them and published them.

So that's my personal metric when deciding when to post or email (anonymously or otherwise): would I cringe if it was published in the local media. On some websites, where the tendency to inflame runs deeper than it does here, I end up canceling as many comments as I end up submitting. Here, it's a little safer to submit comments, particularly since all of my salary information is also subject to FOIA requests so I have less financial privacy than the average poster.

cadreamer2015 wrote:We used to get a class in anti-trust law every year at my old Mega-corp, taught by our chief counsel. One thing I remember clearly was his statement that the "e" in "e-mail" stands for evidence. Assume everything you send in an email will be discovered. Anonymous websites have a bit more privacy (if you choose an anonymous user name), but it's probably the best policy to assume that someone could connect the dots, even without a government subpoena.

My former boss never understood that, and we're a public agency, so we have FOIA requests to be concerned about as well. And yet, some of the emails that came from that boss.... I'd cringe if the media had requested them and published them.

So that's my personal metric when deciding when to post or email (anonymously or otherwise): would I cringe if it was published in the local media. On some websites, where the tendency to inflame runs deeper than it does here, I end up canceling as many comments as I end up submitting. Here, it's a little safer to submit comments, particularly since all of my salary information is also subject to FOIA requests so I have less financial privacy than the average poster.

I have probably sent tens of thousands of emails and never had any indication that anyone besides the recipients read any of them. Maybe they are being read regularly and I just don't know? How would one go about reading someone else's email if it were not sent to them?

Server log/capture...I work at a financial mega and they do this for email and chat...and they make it very clear in company policy handbooks that they "may" do so...though I'm not sure how much it really prevents...In fact, there was a recent article describing what GS scans for...http://www.independent.co.uk/news/busin ... 88031.html

munemaker wrote:...I have probably sent tens of thousands of emails and never had any indication that anyone besides the recipients read any of them. Maybe they are being read regularly and I just don't know? How would one go about reading someone else's email if it were not sent to them?

It's rather well known that the National Security Agency reads all email traffic, especially encrypted transmissions and those written in Arabic and Korean.This, of course, is of no concern to those of us just minding our own business...

munemaker wrote:I have probably sent tens of thousands of emails and never had any indication that anyone besides the recipients read any of them. Maybe they are being read regularly and I just don't know? How would one go about reading someone else's email if it were not sent to them?

If you're a journalist, you send a FOIA (Freedom of Information Act) request to the government agency requesting all emails related to xyz business being conducted by that agency. The agency then uses a search feature to extract all emails that might contain that phrase from the archive server (where all emails are stored for the legally mandated period). They then have an employee review those emails to make sure they're all actually relevant to the FOIA request and contain no confidential information. A subpoena works similarly, except that confidential information might be released depending on the nature of the subpoena.

And, as already mentioned, emails are plaintext messages (as are text messages). This means anyone between you and the recipient could theoretically read the email, such as the person administering the email servers. A joke among system administrators is "I read your email", although that rarely happens because it's not ethical to do so. Most of the time, system admins just need to read the email envelope (from, to, subject, etc.) to be able to diagnose yet another "I can't read my email" tech support call. But it is technically possible to read the whole email as it passes through the servers or while it sits on the recipient's email server.

I'm not worried so much about revealing usernames (although I concede that it may be a problem for the unwary) as I am about a security breach of the forum as a whole. Imagine what would happen if an attacker got in and got a dump of the database. Combining the the email address with the content of the posts, I shudder to think of the social engineering attacks that could be used (given knowledge about living area, bank accounts, approximate time of investments). I can see attackers gaining access to accounts ($$$) and leveraging the information gleaned from those accounts to extend the attack further.

randomizer wrote:I'm not worried so much about revealing usernames (although I concede that it may be a problem for the unwary) as I am about a security breach of the forum as a whole. Imagine what would happen if an attacker got in and got a dump of the database. Combining the the email address with the content of the posts, I shudder to think of the social engineering attacks that could be used (given knowledge about living area, bank accounts, approximate time of investments). I can see attackers gaining access to accounts ($$$) and leveraging the information gleaned from those accounts to extend the attack further.

Minimized risk by using two techniques:

(a) Always use unique passwords on all websites and don't use easily found information for security questions (made up answers are perfectly valid answers to security questions, as long as you remember them or note them down in a secure fashion).

(b) Use a separate email address for your financial accounts than for your everyday Internet activities like Bogleheads.

Edit: And I would hope a financial institution has trained its call center representatives to be resistant to social engineering attacks, such that they would not do things like reset passwords over the phone, regardless of how much personally identifiable information is provided.

Mudpuppy wrote:Edit: And I would hope a financial institution has trained its call center representatives to be resistant to social engineering attacks, such that they would not do things like reset passwords over the phone, regardless of how much personally identifiable information is provided.

retiredjg wrote:We continue to have new posters who are either using their real names or something so close to their own names that they are easily identifiable. It seems to have increased lately - to several each month.

That's fine for people who don't intend to share personal information, but I think many new posters have no idea how much of their personal information they may reveal over time while working on a portfolio.

I've contacted several by PM to suggest a change. I've also notified a moderator a few times to get a change made. I'm wondering if there should be some warning (or a better warning) in the registration procedure?

The member registration screen has been modified to recommend that new members should not use their real name or email address when entering a username.

After clicking to accept the Terms of Use (I agree to these terms), there is a new line:

From:

Please note that you will need to enter a valid email address before your account is activated. The administrator will review your account and if approved you will receive an email at the address you specified.

To:

Please note that you will need to enter a valid email address before your account is activated. The administrator will review your account and if approved you will receive an email at the address you specified.

We recommend that you do not enter your real name or email address as a Username.

"Username" is capitalized to match the field name "Username" on the registration screen.

I added the email caution, as I'm seeing members use their personal email address - which is also a concern.

To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

FreeAtLast wrote:Wow, these social media billionaires are exceeding the bounds of their previous arrogance levels, aren't they?

Uh, how much are you paying to access Facebook? Nothing, right? This is an advertising-revenue model, not a subscriber-revenue model. In order to use the service, you give something up. It has nothing to do with Zuckerberg, it has to do with the advertisers who want more data to justify what they are spending on Facebook advertisements. Revenue from that allows FB to hire staff, power servers, develop new ways of enticing you and slap trolls/spammers/hackers when they show up. That's what businesses do in the new internet economy.

Having said that most of the folks I know who are involved with homeland security etc are banned from using Facebook because of the amount of information they track on an individual. Your real name and phone number are the least of the information you give up by using that 'free' service.

So why does he need your real name to bombard you with his scam ads? How many more billions does the greedy nerd need? True, invasion of your privacy cannot be avoided in "this new internet economy" but that does not mean you should make it easier. Next they will want your SSN and older people who are trusting and the naive young who have been brainwashed into shedding their privacy may give it to them.

The problem with using your real name on the internet is that you can't change your mind about it later. Once it's out there, it's out there. Even if you later change your name on this forum, there are places like the Internet Archive that probably have a record of it.

I gave up trying to keep my name and address off the internet. Too many websites post the information and some of them charge to remove it.

My real name has even popped up on the internet from activities that happened before the public internet existed. College yearbooks, a newsletter from the days of mimeographs before photocopiers were available, etc.

Still, I don't deliberately place it out there. No good can come of it.

FreeAtLast wrote:Wow, these social media billionaires are exceeding the bounds of their previous arrogance levels, aren't they?

Uh, how much are you paying to access Facebook? Nothing, right? This is an advertising-revenue model, not a subscriber-revenue model. In order to use the service, you give something up. It has nothing to do with Zuckerberg, it has to do with the advertisers who want more data to justify what they are spending on Facebook advertisements. Revenue from that allows FB to hire staff, power servers, develop new ways of enticing you and slap trolls/spammers/hackers when they show up. That's what businesses do in the new internet economy.

Having said that most of the folks I know who are involved with homeland security etc are banned from using Facebook because of the amount of information they track on an individual. Your real name and phone number are the least of the information you give up by using that 'free' service.

So why does he need your real name to bombard you with his scam ads? How many more billions does the greedy nerd need? True, invasion of your privacy cannot be avoided in "this new internet economy" but that does not mean you should make it easier. Next they will want your SSN and older people who are trusting and the naive young who have been brainwashed into shedding their privacy may give it to them.

You know, I never did respond to BYawp, so I might as well do it now. I do not and never will belong to Facebook or any other "social media" forums. If they all were to collapse into terminal financial oblivion tomorrow, it would be fine by me. And like soboggled, I do whatever I can to protect my privacy against all intruders, digital or otherwise. Some of the suggestions in this thread have been enlightening. For example, using only totally fictitious answers to security questions is a great idea. Do you really think that some dogged hacker cannot discover what high school you attended or what year you graduated from college?

Instead of changing user names, why not allow registered users to post anonymously; it could be as simple as a checking a box "mark this post anonymous" or "contains personal details" -just like the "notify me when a reply is posted". Those posts would say "registered anonymous user" instead of "pkempfur". Admins can always identify who made the post - it just won't be displayed to non-admin users.

pkempfur wrote:Instead of changing user names, why not allow registered users to post anonymously; it could be as simple as a checking a box "mark this post anonymous" or "contains personal details" -just like the "notify me when a reply is posted". Those posts would say "registered anonymous user" instead of "pkempfur". Admins can always identify who made the post - it just won't be displayed to non-admin users.

I like this idea. Find a way to submit it as a suggestion and see what happens! Sometimes I post things about my career that I would not want my employer to see , such as quitting or saying they don't have a good retirement plan / etc . The anonymous option would not let them know that it was me saying it.

Or perhaps I was asking legal advice in a court case and my opponent was able to gain intel on what I was going to use in the case. Really anywhere you would not want data leakage to occur.

pkempfur wrote:Instead of changing user names, why not allow registered users to post anonymously; it could be as simple as a checking a box "mark this post anonymous" or "contains personal details" -just like the "notify me when a reply is posted". Those posts would say "registered anonymous user" instead of "pkempfur". Admins can always identify who made the post - it just won't be displayed to non-admin users.

I like this idea. Find a way to submit it as a suggestion and see what happens! Sometimes I post things about my career that I would not want my employer to see , such as quitting or saying they don't have a good retirement plan / etc . The anonymous option would not let them know that it was me saying it.

Or perhaps I was asking legal advice in a court case and my opponent was able to gain intel on what I was going to use in the case. Really anywhere you would not want data leakage to occur.

Great idea!

In general, many (some?) of use use info/background from other posts when giving suggestions.
Operating in a vacuum could lose some of that "relevant" information.

However, there IS a way to do this anonymously for occasional specific needs.
There have been a very few "new posters" who are announced as "an ongoing BH member who requests anonymity for this particular issue".
Best of both worlds (?).

Note that this might not avoid a subsequent discovery demand (to BH) IF someone found BH and the posts and decided maybe it was "my opposing party" or such.
(My understanding is that BH won't voluntarily reveal confidential info, but would comply with legally mandated orders such as a subpoena for records.)

What happens when two "registered anonymous user"s post in the same thread? Then things will really get confused. I don't think this idea will work.

The solution is for people to use anonymous user names and realize that before they actually sign up. I think a lot of people sign up not realizing how much personal information may get revealed over the months or years. They start feeling safe and post things that are too revealing.

retiredjg wrote:What happens when two "registered anonymous user"s post in the same thread? Then things will really get confused. I don't think this idea will work.

The solution is for people to use anonymous user names and realize that before they actually sign up. I think a lot of people sign up not realizing how much personal information may get revealed over the months or years. They start feeling safe and post things that are too revealing.

In the real situation I've described just above, each "temporarily anonymous poster" has a new user name.

These could (and have been, IIRC) situations where an anonymous user name was originally used, but the concern was that over time, there might be enough "details" to help with possible identification, *IF* someone ended up heading in that direction.
Hence the separate, temporary new ID for a specific situation.

- Posting as "anonymous" prevents members from searching their posts.
- Someone posting bad or misleading advice (let's assume it's unintentional) will be very difficult to identify for subsequent follow ups.

For those concerned about privacy, we have provisions which allow username changes or creating an alternative account. See: Usernames (accounts), second paragraph.

To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

retiredjg wrote:What happens when two "registered anonymous user"s post in the same thread? Then things will really get confused. I don't think this idea will work.

The solution is for people to use anonymous user names and realize that before they actually sign up. I think a lot of people sign up not realizing how much personal information may get revealed over the months or years. They start feeling safe and post things that are too revealing.

In the real situation I've described just above, each "temporarily anonymous poster" has a new user name.

These could (and have been, IIRC) situations where an anonymous user name was originally used, but the concern was that over time, there might be enough "details" to help with possible identification, *IF* someone ended up heading in that direction.
Hence the separate, temporary new ID for a specific situation.

RM

RM, I was not talking about your idea. What you suggested does work. I was saying that pkempfur's idea won't work.

FreeAtLast wrote:Wow, these social media billionaires are exceeding the bounds of their previous arrogance levels, aren't they?

Uh, how much are you paying to access Facebook? Nothing, right? This is an advertising-revenue model, not a subscriber-revenue model. In order to use the service, you give something up. It has nothing to do with Zuckerberg, it has to do with the advertisers who want more data to justify what they are spending on Facebook advertisements. Revenue from that allows FB to hire staff, power servers, develop new ways of enticing you and slap trolls/spammers/hackers when they show up. That's what businesses do in the new internet economy.

Having said that most of the folks I know who are involved with homeland security etc are banned from using Facebook because of the amount of information they track on an individual. Your real name and phone number are the least of the information you give up by using that 'free' service.

Actually it has everything to do with Zuckerberg and how he chooses to do business. I am not on facebook because he wants payment for something I will not give. I am very happy to not be constantly facebooking. I would rather be Bogleheading.

... my observation is that there is a significant generational shift going on around this sentiment. Increasingly, the younger generation has no expectation of or desire for privacy. Many put everything on the Internet, and we can't save everyone from themselves. If they want to make these disclosures, so be it.

I agree with this. I share the sentiment that one should be careful not to disclose too much personal information on the internet (that is why my username is anonymous), but I do not think it is up to me or the moderators of this forum to make that decision for others.

My user name is a foundation Quarter Horse Stallion - Silk McCue. We actually had grandaughters of Wimpy P-1, the very first registered Quarter Horse but I felt Wimpy was not a good username Silk was a great grandsire on the Dams side. After being on the forum for a year and referring some friends here I realized that one day I would want to post some specifics that could possibly be recognized by my original user_id. Unlikely that someone would make the connection but wasn't interested in taking a chance. I submitted a request to LadyGeek and she took care of it for me.

Quick word of warning. I'm just an ordinary person/corporate stooge/former reporter who knows how to use Google, but...one user mentioned he used his real name on this forum. Out of curiosity, I tried to see how much I could find about him on the internet just going off of his "real name" and his posts.

I found his company and work-related contact information. His home address, as well as house much he bought the house for. His kids' names, ages, and schools. From there, his kids' Facebook pages. His Facebook page, which included vacation dates and locations. All of this correlated with information he'd posted here, so I could confirm it was the same person.

Just...be careful, and be honest with yourself about how much information you're posting on the internet. BHs are an ethical bunch, in general, but this is a public forum. A hacker could find ten times the information I did ten times faster.

Quick word of warning. I'm just an ordinary person/corporate stooge/former reporter who knows how to use Google, but...one user mentioned he used his real name on this forum. Out of curiosity, I tried to see how much I could find about him on the internet just going off of his "real name" and his posts.

I found his company and work-related contact information. His home address, as well as house much he bought the house for. His kids' names, ages, and schools. From there, his kids' Facebook pages. His Facebook page, which included vacation dates and locations. All of this correlated with information he'd posted here, so I could confirm it was the same person.

Just...be careful, and be honest with yourself about how much information you're posting on the internet. BHs are an ethical bunch, in general, but this is a public forum. A hacker could find ten times the information I did ten times faster.

This is EXACTLY why I started this thread.

People join with the idea that they won't reveal much or that it does not matter....but so much does get revealed in the long run. And it does matter.

Even if you never intend to ask questions here, do not use anything like your real name and certainly do not include things like "my kid turned 7 today", etc.

People join with the idea that they won't reveal much or that it does not matter....but so much does get revealed in the long run. And it does matter.

Even if you never intend to ask questions here, do not use anything like your real name and certainly do not include things like "my kid turned 7 today", etc.

I think the problem is that when you start you may not realize just how much information you'll end up giving out. You start off as a lurker, maybe ask a few general questions, and then you eventually start asking for personalized advice. The more info you give, the better advice you get. Sometimes well-intentioned posters will actively seek out additional detail in order to provide better help. Before you know it you've shared enough info for people that already know you in real life to spot you despite your anonymous username like "KenFromMaryland56" (in real life, James, from Nevada, 44) even if you've tried to be sufficiently discrete/fuzzy in the info that your deal out. And people that know you in real life aren't even the ones you need to worry about. It's the nasty criminal types.

Unfortunately, once you've gone too far down this path, there is no real way out. You could ask an admin to delete your account, I guess, but I bet they won't delete all the threads you've been in. Once the genie is out of the bottle, it can't be put back in.